Drone Advice chats with Danny Garcia, Senior Director of Certification and Training Evangelist at Cellebrite, about the latest in drone digital forensics. Cellebrite empowers law enforcement, military and intelligence, and corporate customers with relevant and defensible digital evidence to build stronger cases and more effective operations.

DroneAdvice: How did you get into the niche field of drone digital forensics?

Danny: I began in the field of digital forensics during my previous career as a law enforcement officer in Miami, Florida. The last seven years of my career, I was the Sergeant of the Digital Forensics laboratory with the Miami-Dade Police Department. As an avid photographer, I started flying drones in 2013 – in fact, I still have my DJI Phantom Vision II with an aftermarket gimbal modification.

Having been involved in digital forensics since 2004 and known within our training division as a drone pilot, when Cellebrite came out with support for drone extraction and decoding, I was immediately interested in exploring the data.

Source: Cellebrite
DroneAdvice: Tell us a bit about how Cellebrite fits into the global drone ecosystem.

Danny: Cellebrite is the recognized world leader in digital intelligence. Although the clear majority of drones are used by people like me to capture stunning photos and videos from a totally different perspective, there are those who elect to use these devices to deliver drugs, weapons, and conduct reconnaissance missions to facilitate crime. Cellebrite fits into the global drone ecosystem by providing investigators the ability to extract and decode data from drones and associated peripherals in the small unmanned aerial system.

DroneAdvice: Some people might be surprised by what type of data can be pulled from a drone autopsy. Could you provide an overview of the type of elements that comprise a complete drone system along with a couple of the more surprising things that can be found through drone forensics?

Danny: A Small Unmanned Aircraft System (sUAS) is made up of the small unmanned aircraft (the drone itself), the communication links, and the components which control the small unmanned aircraft (sUA). We often see a reference to a Control Station (CS) or Flight Controller (FC) which is used by the remote pilot to control the sUA. Also, with most of these systems, investigators will find an associated mobile device (or tablet) which acts as a display, controls the camera, and can even be used to plan flights and control other unique settings like autonomous flights.

Source: Cellebrite

As everyone likely knows, most drones are equipped with a Global Positioning System (GPS) which assist the operator in everything from take-off to in-flight navigation and landing. One of the most common GPS coordinates sought by investigators is the home point. Immediately after a drone takes off, most of them will send the coordinates back to the flight controller. Depending on the system setup, these coordinates may be found on the flight controller or the associated mobile device which is attached either wirelessly or via cable to that system.  The GPS information typically stored includes coordinates, altitude, and timestamps. Decoding the recovered GPS data allows the investigator to present past location information as possible evidence to support the case being investigated.

As you have seen from our site, Cellebrite offers the Drone Investigation Training course. Although we could have likely developed this course with readily available drone data downloads, we knew it was important for our instructors to have the first-hand experience piloting the devices. This way, we could not only explain the data analysis side but also attribute it to personal experiences and relay this to our students in the classroom. As the lead developer of this class, I obtained my commercial remote pilot certification from the Federal Aviation Administration to ensure compliance with applicable laws.

Investigators should know that data exists within the UA, FC, and associated mobile devices. Independent research into drone data analysis has shown that information found in separate components match from one to the other. There are many different data artefacts we explore in our class that include but are not limited to: MAC addresses, registered owner information, and of course the flight records.

Source: Cellebrite

Details that should be expected to be recovered during an sUAS examination includes location, timestamps, flight duration, take-off and landing points, photos and videos among other relevant information. Regardless of the data recovered, I would like to remind investigators of the importance of interviewing witnesses and survey possible video surveillance footage to prove the suspected activity. Investigators should also be aware that if they recover a mobile phone or tablet (without the drone itself), the DJI applications record most of the data they will need linking to a pilot’s actions.

DroneAdvice: We notice that Cellebrite offers a webinar on accessing digital data from drones to combat crime. Tell us a little bit more about this webinar and how any Drone Advice readers in law enforcement and security industries might benefit from it.

Danny: This particular webinar discusses some of the trends involving criminal activity using drones, and how the evolving field of digital drone forensics is enabling investigative teams to identify and understand sources of digital evidence from drones and how to leverage data and other digital intelligence from drones to formulate hypotheses and create investigative leads. I recommend those interested in this field who have not yet been exposed to this webinar to make their way over and watch it when they can.

DroneAdvice: What are your thoughts on the ‘Gatwick’ incident and on drone remote ID?

Danny: I monitored the incident and personally have no problem with remote drone ID or drone detection systems. From what I understand, there are still rumours circulating that the Gatwick incident was caused not by drones, but by radio tower lights in the distance which were mistakenly identified as UAS’.

There are notional and actual systems deployed for UAS detection to include the use of RADAR, geofencing, radio frequency signal detection, acoustic sensors, and computer vision. By combining a detection system with a properly implemented interception and ‘disruption’ system, an unauthorized UAS’ trajectory over a restricted area may be thwarted.

These systems are not perfect of course. The evolution of ‘micro drones’ can be a challenge for the detection systems mentioned, as are autonomous (non-RF emitting) UAS.’ Those individuals seeking to cause harm or havoc with drones will develop ways to get around the deployed systems – we must remain vigilant and continue learning whatever we can from the data which is extracted from devices once recovered.

You can follow Danny on Twitter @danmiami or on Instagram @danmiami.